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Abstract 


In  2003  and  2004  the  Center  for  Infonnation  Systems  Security  Studies  and  Research 
(CISR)  at  the  Naval  Postgraduate  School  organized  tutorials  and  workshops  with  the 
intent  of  increasing  the  capacity  of  the  United  States  higher  education  enterprise  to 
produce  professionals  in  the  fields  of  Information  Assurance  (IA)  and  computer  security 
by  hosting  a  series  of  workshops  for  education  in  Information  Assurance.  The  target 
audience  of  the  workshops  has  been  2-year,  4-year  college,  and  university-level 
educators  who  have  responsibility  for  teaching  curricula  that  are,  or  could  be,  related  to 
Infonnation  Assurance  issues.  Participation  by  instructors  from  institutions  serving 
under-represented  groups  was  high.  Attendance  at  the  tutorials  was  maximized  both 
years.  The  participants  indicated  that  they  benefited  substantially  from  both  the  tutorials 
and  the  subsequent  gathering  of  IA  educators  at  the  Workshop  on  Education  in  Computer 
Security  (WECS). 


Scholarship  for  Service: 

IA  Tutorials  and  Workshops  for  Educators 

Final  Report  for  NSF  Award  Number  0210762 

Overview 

The  primary  objective  of  this  project  was  to  increase  the  capacity  of  the  United  States 
higher  education  enterprise  to  produce  professionals  in  the  fields  of  Information 
Assurance  (IA)  and  computer  security  by  hosting  a  series  of  workshops  for  education  in 
Information  Assurance.  The  target  audience  of  the  workshops  has  been  2-year,  4-year 
college,  and  university-level  educators  who  have  responsibility  for  teaching  curricula  that 
are,  or  could  be,  related  to  Information  Assurance  issues.  Participation  by  instructors 
from  institutions  serving  under-represented  groups  was  high. 

We  developed  and  hosted  a  two-year  series  of  invitational  workshops  for  Information 
Assurance  education.  The  format  for  each  workshop  was  three  sequential  sessions:  a 
tutorial  session,  a  refereed  paper  session,  and  a  working  session.  This  sequence  allowed 
newer  practitioners  to  become  knowledgeable  about  the  basics  of  IA,  provided  an 
opportunity  for  experienced  practitioners  to  present  new  ideas  for  discussion,  and 
allowed  both  groups  to  interact  in  a  problem  solving  context  to  develop  solutions  for 
point  issues  presented  by  the  workshop. 

The  tutorial  sessions,  attended  by  19  participants  in  2003  and  20  participants  in  2004, 
provided  education  to  faculty  about  the  fundamentals  of  information  assurance  and 
computer  security  and  to  improve  their  instructional  capability  in  these  areas.  The  paper 
sessions  provided  a  forum  for  presentation  and  discussion  of  recent  pedagogical  and 
technical  advances  in  the  field.  In  addition,  activities  in  the  working  session  encouraged 
creative  interaction  regarding  current  issues  for  education  in  Information  Assurance. 

A  significant  effect  of  the  commingling  of  experienced  and  inexperienced  practitioners 
has  been  enhancement  of  the  sense  of  community  for  IA  educators,  fostering 
collaboration  and  dialogue  among  institutions  offering  courses  and  programs  in 
Infonnation  Assurance.  The  multi-year  fonnat  has  allowed  faculty  to  spend  time  in  their 
own  environment  and  return  to  the  workshop  with  experiential  questions  and  insight. 

For  the  tutorials,  model  materials  for  classroom  presentation  and  demonstration  were 
prepared,  as  well  as  example  materials  for  laboratory  experimentation.  The  workshop 
was  publicized  extensively  to  ensure  participation  of  demographic  groups  currently 
underrepresented  in  the  IA  education  community.  In  this  respect,  the  program  has  been 
highly  successful.  The  net  effect  of  the  proposed  activities  has  been  to  directly  increase 
the  national  capacity  for  education  in  Infonnation  Assurance  as  well  as  to  extend  the 
knowledge  and  expertise  of  IA  to  a  range  of  participants  that  is  more  representative  of  the 
national  profile. 
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Program  Organization 

This  project  developed  and  hosted  a  two-year  series  of  invitational  workshops.  The 
format  for  each  workshop  was  a  tutorial  session  followed  by  a  larger  workshop  with 
refereed  paper  and  working  sessions.  This  sequence  allowed  newer  practitioners  to 
become  knowledgeable  about  the  basics  of  IA,  provided  an  opportunity  for  experienced 
practitioners  to  present  new  ideas,  and  then  allowed  both  groups  to  interact  in  a  problem 
solving  context  to  develop  solutions  for  point  issues  presented  by  the  workshop. 

In  effect,  the  investigators  had  the  job  of  organizing  not  only  a  set  of  tutorials  but  a  small 
conference  as  well.  Each  of  the  workshops  built  upon  the  success  of  the  earlier 
Workshops  in  Computer  Security  Education  (WECS)  that  had  been  held  in  California.  In 
2003,  the  workshop  was  combined  with  the  Third  World  Conference  on  Information 
Security  Education  (WISE),  sponsored  by  the  international  Federation  for  Infonnation 
Processing  (IFIP).  WISE  attracted  over  30  paper  submissions  and  a  larger  number  of 
participants.  This  two  and  a  half  day  international  conference  followed  the  three  days  of 
tutorials.  In  the  second  year,  NPS  hosted  a  WECS  workshop,  which  was  attended  by  IA 
educators  from  throughout  the  US.  The  proceedings  of  the  2004  WECS  included  papers 
not  only  from  experienced  educators  but  papers  by  participants  in  the  2003  tutorials. 

Each  year  participants  in  the  tutorials  were  supported  so  that  they  could  stay  for  the 
conference/workshop.  This  had  the  beneficial  result  of  exposing  the  tutorial  participants 
to  other  IA  educators  with  philosophies  and  ideas  different  from  those  at  NPS.  An 
additional  benefit  of  the  program  was  the  commingling  of  experienced  and  inexperienced 
practitioners  that  enhanced  the  sense  of  community  for  IA  educators,  fostering 
collaboration  and  dialogue  among  institutions  offering  courses  and  programs  in 
Information  Assurance. 

Tutorial  and  Workshop  Announcement 

The  workshops  were  publicized  extensively  to  ensure  achievement  of  the  targeted 
attendance  level  as  well  as  to  help  increase  participation  of  demographic  groups  currently 
underrepresented  in  the  IA  education  community.  The  first  workshop  was  scheduled  for 
late  June  and  the  second  took  place  in  early  July  2004.  These  dates  were  chosen  to 
facilitate  faculty  attendance.  For  tutorial  participants  a  stipend  for  travel  and  local 
accommodations  helped  to  encourage  attendance  and  to  defray  costs.  Both  workshops 
were  held  at  the  Naval  Postgraduate  School  (NPS),  in  Monterey,  California. 

A  press  release,  an  example  of  which  is  found  in  Appendix  D,  provided  further  visibility 
for  the  workshops. 

Tutorial  Material 

A  set  of  educational  materials  for  use  by  workshop  participants  was  developed. 

Materials  for  the  core  tutorial  sections  were  based  on  the  CISR  curriculum.  In  some 
cases,  the  materials  were  a  straightforward  adaptation  of  CISR  class  and  lab  material  to 
the  tutorial  format;  in  other  cases,  the  materials  were  entirely  new,  or  represented  a 
substantial  revision  of  existing  instructional  materials.  Materials  included  course  notes, 
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graphic  presentations,  and  classroom  and  lab  exercises. 

Lecture  and  lab  material  was  centered  on  an  existing  course  -  Introduction  to  Infonnation 
Assurance:  Computer  Security.  The  course  was  designed  by  CISR  members  with  the  goal 
to  provide  necessary  prerequisite  infonnation  to  students  pursuing  a  broad  range  of  IA 
topics,  as  well  as  to  provide  a  background  for  all  students  to  understand  and  respect  the 
need  for  computer  security.  The  course  description  is: 

Provides  a  comprehensive  overview  of  the  terminology,  concepts,  issues, 
policies,  and  technologies  associated  with  the  field  of  Information 
Assurance.  It  covers  the  notions  of  threats,  vulnerabilities,  risks  and 
safeguards  as  they  pertain  to  the  desired  information  security  properties 
of  confidentiality,  integrity,  authenticity  and  availability  for  all 
information  that  is  processed,  stored,  or  transmitted  in  information 
systems. 

Specific  modules  were  identified  for  inclusion  in  the  tutorials.  Corresponding  labs  were 
then  chosen  from  existing  materials  or  developed.  Additional  materials  were  developed 
and  included  in  the  tutorials.  Members  of  the  CISR  group  were  then  chosen  for  specific 
modules  and  labs.  Modules  were  then  identified  for  pedagogy  or  example  presentation, 
and  labs  for  hands-on  or  demonstration. 

An  important  objective  of  the  tutorials  was  to  provide  instructors  with  insights  regarding 
aspects  of  infonnation  assurance  that  are  difficult  to  teach.  Rather  than  merely  review 
basic  material,  the  tutorials  focused  on  those  difficult  topics  in  an  attempt  to  enable 
participants  with  the  tools  to  make  them  successful  IA  educators. 

The  tutorials  spanned  three  days  with  full  agendas.  The  tutorial  instructors,  all  from  the 
Naval  Postgraduate  School,  presented  technical  lectures,  pedagogy  lectures,  and 
practical,  hands-on  laboratories.  A  copy  of  the  agenda  for  the  tutorials  can  be  found  in 
Appendix  A. 

Assessment 

Following  each  tutorial  a  questionnaire  was  given  to  the  participants  to  allow  for 
assessment  of  the  program.  A  sample  assessment  is  provided  in  Appendix  C.  These 
provided  valuable  feedback  on  the  different  modules  within  the  tutorial  sessions.  Since 
applicants  were  able  to  write  in  comments,  some  feedback  reflected  personal  interests. 
Overall,  there  were  a  number  of  consensuses: 

•  The  three-day  length  of  the  tutorials  was  appropriate. 

•  The  part  of  the  tutorials  found  most  helpful  was  the  labs. 

•  There  is  desire  for  information  on  the  topics  of  ethics,  Cyber  law,  and  grant 
writing. 

•  Desire  to  have  course  notes  and  lab  material  available  to  use  in  their  classrooms. 
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•  Discussion  groups  during  lunch  and  the  breaks  were  very  useful. 

These  comments  influenced  the  tutorial  materials  and  agenda  in  the  second  year. 

A  second  year  participants  stated: 

My  metric  for  evaluating  workshops  is,  "did  I  get  a  gold  nugget  for  each  hour  invested?" 
I  certainly  got  my  nuggets  per  hour  from  this  collection  of  presentations  . . . 

Followup 

The  multi-year  format  has  allowed  faculty  attending  the  tutorials  to  spend  time  in  their 
own  environment  and  return  to  the  workshop  with  experiential  questions  and  insight. 
Returning  participants  were  encouraged  to  present  their  experiences  and  results  in  the 
paper  session. 

To  allow  participants  to  share  their  experience  in  using  the  material  presented  in  the 
workshop,  they  were  asked  to  prepare  either  reports  or  papers.  Papers  were  included  in 
the  proceedings  of  the  WECS  6  workshop,  which  followed  the  tutorials  in  2004.  All 
participants  from  2003  were  invited  to  participate  in  the  workshop  and  to  present  papers. 

Reports  were  at  least  two  pages,  and  papers  were  5,000  words  or  seven  pages. 
Participants  were  requested  to  address  the  following  topics  and  questions: 

•  Your  IA  objectives  for  the  2003-2004  academic  year 

•  What  did  you  do  to  incorporate  WECS5  materials? 

•  How  many  hours  of  WECS  materials  did  you  incorporate  into  lecture  or 
laboratory  course  work? 

•  Did  you  do  anything  specifically  for  or  with  groups  underrepresented  in 
Computer  Science? 

•  Did  you  develop  any  new  materials? 

•  Did  you  have  any  publications  from  this  work? 

•  Brief  summary  of  success  and/or  lessons  learned. 
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Project  Participants 

Project  participants  can  be  organized  into  three  groups:  tutorial  instructors,  technical 
support  staff  and  tutorial  participants. 

Tutorial  Instructors 

The  Center  for  Information  Systems  Security  Studies  and  Research  (CISR)  is  fortunate  to 
have  members  with  a  wide  variety  of  backgrounds,  experience,  and  expertise. 
Coordinating  the  pool  of  knowledge  and  being  able  to  have  multiple  presenters  was  a 
major  factor  in  the  success  of  the  tutorials.  The  CISR  members  involved  brought  together 
over  100  combined  years  experience  in  information  assurance  and  computer  security,  and 
backgrounds  in  the  government,  military,  private  industry,  and  professional  affiliations. 

Cynthia  Irvine  has  been  working  in  the  area  of  high  assurance  systems  for  over  15  years. 
At  the  Naval  Postgraduate  School,  she  teaches  an  advanced  graduate  level  course  focused 
on  the  design  and  construction  of  high  assurance  secure  systems. 

George  Dinolt  has  been  a  researcher  and  developer  in  the  area  of  computer  security  for 
over  20  years.  His  current  position  of  Associate  Professor  at  the  Naval  Postgraduate 
School  has  him  teaching  advanced  graduate  level  courses  and  being  a  thesis  advisor. 

Paul  Clark  is  currently  a  Research  Associate  at  the  Naval  Postgraduate  School,  lecturing 
graduate  students  and  perfonning  research  in  the  area  of  computer  security.  His  current 
area  of  interest  revolves  around  the  bettennent  of  computer  security  education  in  the 
academic  environment. 

Deborah  Shifflett  is  a  Research  Associate  at  the  Naval  Postgraduate  School,  where  she 
primarily  works  as  the  financial  officer  for  the  Center  for  Infonnation  Security  Systems 
Studies  and  Research  (CISR)  and  is  co-instructor  for  courses  in  Critical  Infrastructure 
Protection. 

John  D.  Fulp  is  a  Lecturer  in  the  Department  of  Computer  Science  at  the  Naval 
Postgraduate  School.  He  is  a  1987  graduate  of  the  U.S.  Naval  Academy,  and  a  1996 
graduate  of  the  Naval  Postgraduate  School  where  he  earned  his  Masters  in  Computer 
Science.  Mr.  Fulp  is  interested  in  providing  quality  IA  education,  and  in  promoting 
awareness,  understanding,  and  successful  implementations  of  Public  Key  Infrastructures 
(PKI). 
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Timothy  Levin  is  a  Senior  Research  Associate  at  the  Naval  Postgraduate  and  has  spent 
over  15  years  working  in  the  design,  development,  evaluation,  and  verification  of  secure 
computer  systems.  His  current  research  interests  include  management  and  quantification 
of  security  in  heterogeneous  networks,  development  of  costing  frameworks  and 
scheduling  algorithms  for  the  dynamic  selection  of  QoS  security  mechanisms,  and  the 
application  of  fonnal  methods  to  secure  computer  systems. 

Daniel  Warren  is  a  Lecturer  at  the  Naval  Postgraduate  School  and  has  spent  the  last  15 
years  working  in  the  area  of  computer  and  network  security.  He  routinely  teaches  highly 
successful  condensed  weeklong  versions  of  NPS  computer  and  network  security  courses 
to  agencies  such  as  DISA  and  SPAWAR. 

Richard  Scott  Cote  is  a  Lecturer  at  the  Naval  Postgraduate  School,  where  he  lectures,  and 
performs  research.  He  also  holds  certifications  from  both  Microsoft  and  Cisco  and 
continues  to  teach  the  Cisco  Academy  curriculum  at  his  local  community  college,  as  well 
as  leading  a  team  of  local  students  in  national  competitions  on  Remotely  Operated 
Vehicle  (ROV)  design  and  construction,  recently  taking  first  place  in  Discovery 
Channel's  nation  wide  inaugural  ROV  Challenge. 

Technical  Support  Staff 

Naomi  B.  Falby  is  a  research  assistant  at  the  Naval  Postgraduate  School.  She  has 
participated  in  the  development  of  CyberCIEGE,  an  information  assurance  teaching  tool 
in  the  form  of  a  video  game,  and  serves  as  a  configuration  management  assistant  for  the 
Trusted  Computing  Exemplar  Project.  For  this  effort  she  assisted  with  local 
arrangements. 

Matthew  T.  Rose  provides  support  for  the  development  of  web-based  and  printed 
materials.  He  supported  this  project  through  the  development  of  announcements, 
templates,  forms,  and  other  materials. 

David  R.  Riebandt  is  a  system  administration  technician  in  the  CISR  research  group.  He 
supported  the  project  by  setting  up  and  maintaining  laboratory  and  classroom 
demonstration  equipment. 

Scholarship  Participants 

The  following  sections  provide  details  regarding  the  scholarship  participants  who 
attended  the  tutorials  and  workshops. 

Participant  Selection 

Educators  interested  in  attending  the  tutorials  were  required  to  submit  an  application. 
Questions  on  the  application  were  intended  to  assess  the  potential  impact  of  the 
applicant’s  attendance  on  the  infonnation  assurance  program  at  his  or  her  home 
institution.  The  applicants  were  asked  about  their  academic  position  and  its  relationship 
to  the  department  likely  to  be  supporting  an  IA  program,  teaching  experience,  how  they 
influenced  curriculum,  and  their  previous  background  in  information  assurance.  The 
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questionnaire  also  addressed  how  applicants  hoped  to  accomplish  incorporating  the 
tutorial  material  into  lecture  and/or  lab  course  work. 

Applicants  were  requested  to  show  knowledge  and  background  in  computer  science, 
allowing  the  organizers  to  screen  applicants  and  restrict  scholarship  awards  to  those  with 
the  ability  to  follow  the  tutorials  and  participate  in  labs.  All  scholarship  recipients  were 
able  to  state  various  levels  of  individual,  course,  and  department  need  for  computer 
security  education  that  could  be  passed  on  to  the  students. 

Under-represented  Populations 

Because  an  objective  of  the  program  was  to  address  IA  education  in  traditionally  under¬ 
represented  populations,  questionnaire  sections  regarding  the  under-represented  groups  at 
each  institution  were  of  significance  in  selecting  participants.  In  asking  how  applicants 
planned  on  promoting  participation  in  information  assurance  by  under-represented 
groups,  we  were  supplied  with  a  surprising  amount  of  data  on  the  current  activities  of  the 
applicants.  Applicants  also  did  an  excellent  job  identifying  the  under-represented  groups 
pertinent  to  their  institution’s  location. 

Participants  demonstrated  that  they  and/or  their  institution  were  already  involved  in 
promotion  to  under-represented  groups.  The  individual  scholarship  recipients  had  under¬ 
represented  group  promotion  involvements  that  ranged  from  an  open-door  policy 
regardless  of  curriculum,  to  being  a  minority  and  leading  by  example,  to  corporate  and 
non-profit  involvements.  Institutional  involvement  included:  matching  the  ethnic 
percentages  of  the  surrounding  population,  efforts  to  recruit  females,  and  existing  funded 
outreach  programs  for  under-represented  groups. 

Answers  by  scholarship  recipients  reflected  their  ability  to  identify  the  under-represented 
groups  of  their  community.  Many  of  the  participants  have  work  and  in  communities 
where  they  deal  with  the  traditional  under-represented  groups  -  ethnic  minorities  and 
females.  Participants  went  further  to  identify  other  groups:  at-risk  youth,  first  generation 
college  students,  the  rural  area,  geographically  dispersed,  Native  American,  displaced 
workers,  military  reservists,  military  veterans,  limited  transportation,  single  parents, 
conflicting  work  schedules,  and  faculty  peers. 

Pa rticipant  Demographics 

Complete  information  regarding  the  workshop  participants  is  provided  in  Appendix  B. 
This  section  will  provide  a  synopsis  of  the  participant  demographics. 

Scholarship  participants  for  the  2003  program  came  from  Arizona,  California,  Oregon, 
Washington,  and  Nevada.  A  larger  geographic  area  was  covered  in  2004.  Tables  1  and  2 
show  the  geographic  distribution  of  participants. 


State 

Participant 

s 

7 


Arizona 

1 

California 

12 

Oregon 

4 

Washington 

2 

Nevada 

1 

Table  1.  Number  of  Participants  by  State  in  2003 


State 

Participant 

s 

Alabama 

1 

California 

4 

Colorado 

1 

Connecticut 

1 

Hawaii 

3 

Mississippi 

1 

Montana 

2 

New  Mexico 

1 

New  York 

1 

North  Dakota 

1 

Oregon 

1 

Puerto  Rico 

2 

Virginia 

1 

Table  2.  Number  of  Participants  by  State  in  2004 


The  types  of  schools  represented  changed  between  2003  and  2004.  In  2003  out  of  the  20 
participants,  13  came  from  community  colleges,  while  universities  and  four-year  colleges 
wee  represented  by  five  and  two  participants  respectively.  In  2004  there  were  no 
participants  from  four  year  colleges  and  universities  comprised  the  majority,  with  17 
participants,  while  community  colleges  provided  three  participants.  This  change  may 
have  reflected  the  broader  net  cast  in  the  second  year  of  the  program,  as  we  attempted  to 
engage  faculty  from  states  and  commonwealths. 

Outreach  to  colleges  and  universities  serving  traditionally  under-represented  populations 
was  one  of  the  key  objectives  of  the  capacity  building  program.  Table  3  shows  the 
number  of  participant  institutions  that  had  minority  populations  in  various  ranges.  It  can 
be  seen  that  by  more  actively  seeking  colleges  and  universities  with  large  minority 
populations,  it  was  possible  to  better  serve  these  groups,  particularly  in  the  second  year 
of  the  program. 
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Percent  Under-Represented  Students  At  Participant  Institution 

0-20% 

21-40% 

41-60% 

61-80% 

81-100% 

2003 

5 

7 

4 

2 

1 

2004 

6 

2 

5 

3 

4 

Table  3.  Under-Represented  Populations 


Summary 

The  primary  objective  of  the  workshops  was  to  increase  the  capacity  of  the  United  States 
higher  education  enterprise  to  produce  professionals  in  the  fields  of  Information 
Assurance  (IA)  and  computer  security  by  hosting  a  series  of  workshops  for  education  in 
information  assurance.  The  target  audience  for  the  workshops  was  college-level 
educators  who  have  responsibility  for  teaching  curricula  that  are,  or  could  be,  related  to 
Information  Assurance  issues.  Through  carefully  placed  announcements  to  a  wide  range 
of  colleges  and  universities,  the  workshops  have  successfully  included  teachers  from 
institutions  with  a  high  percentage  of  traditionally  under-represented  populations. 

The  workshops  have  broadened  the  IA  knowledge  base  for  attendees,  and  have  provided 
an  overview  of  pedagogical  methods  and  techniques  that  have  proven  successful  for 
teaching  Information  Assurance  topics.  Feedback  has  indicated  that  the  workshops  have 
been  valuable  for  teachers  who  are  new  to  IA  and  need  help  in  getting  started  in  the  field, 
for  faculty  who  are  starting  to  set  up  their  IA  curricula,  as  well  as  for  experienced 
teachers  who  have  benefited  from  the  opportunity  to  exchange  ideas  about  current 
technical  topics  and  teaching  approaches.  The  innovative  fonnat  of  the  workshop  has 
produced  a  fertile  atmosphere  for  learning,  exploration,  and  transfer  of  knowledge. 

Future  workshops  based  on  this  fonnat  could  continue  to  enlarge  the  number  of 
institutions  involved  in  IA  education.  In  addition,  this  format  could  be  applied  to  other 
disciplines. 


9 


THIS  PAGE  INTENTIONALLY  LEFT  BLANK 


10 


Publications  and  Products 

Publications 

1.  Falby,  Naomi,  Fulp,  J.D.,  Clark,  Paul  C.,  Cote,  R.  Scott,  Irvine,  Cynthia  E.,  Dinolt, 
George  W.,  Levin,  Timothy  E.,  Rose,  Matthew,  and  Shifflett,  Deborah,  "Information 
Assurance  Capacity  Building:  A  Case  Study,"  Proceedings  of  the  Colloquium  on 
Information  Systems  Security  Education,  West  Point,  NY,  June  2004,  pp.  31-36. 

2.  Levin,  Timothy  E.,  and  Clark,  Paul,  C.,  A  Note  Regarding  Covert  Channels,  in 
Avoiding  Fear,  Uncertainty  and  Doubt  Avoiding  Fear,  Uncertainty  and  Doubt: 
Proceedings  of  the  Sixth  Workshop  on  Education  in  Computer  Security,  Monterey, 
California,  July  2004,  pp.  1 1  -  15. 

3.  Fulp,  J.  D.,  The  Bastion  Network  Project,  in  Avoiding  Fear,  Uncertainty  and  Doubt, 
Avoiding  Fear,  Uncertainty  and  Doubt:  Proceedings  of  the  Sixth  Workshop  on 
Education  in  Computer  Security,  Monterey,  California,  July  2004,  pp.  65  -  70. 

4.  Eagle,  Chris  and  Clark,  John  L.,  Capture-the-flag:  Learning  Computer  Security  Under 
Fire,  in  Avoiding  Fear,  Uncertainty  and  Doubt:  Proceedings  of  the  Sixth  Workshop 
on  Education  in  Computer  Security,  Monterey,  California,  July  2004,  pp.  17-21. 

5.  Irvine,  Cynthia  E.,  and  Thompson,  Michael  F.,  Expressing  IS  Policy  Within  a 
Security  Simulation  Game,  in  Avoiding  Fear,  Uncertainty  and  Doubt,  Proceedings  of 
the  Sixth  Workshop  on  Education  in  Computer  Security,  Monterey,  California,  July 
2004,  pp.  43-49. 

6.  Irvine,  Cynthia  E.  and  Rose,  Matthew  T.  (editors),  Avoiding  Fear,  Uncertainty  and 
Doubt:  Proceedings  of  the  Sixth  Workshop  on  Education  in  Computer  Security, 
Monterey,  California,  July  2004. 

7.  Irvine,  Cynthia  E.,  and  Armstrong,  H.  (editors)  Security  Education  and  Critical 
Infrastructures,  Kluwer  Academic  Publishers,  Norwell,  MA,  2003. 

8.  Fulp,  J.  D.,  Training  the  Cyber  Warrior,  in  Security  Education  and  Critical 
Infrastructures,  ed.  C.  Irvine  and  H.  Armstrong,  Kluwer  Academic  Publishers, 
Norwell,  MA,  2003,  pp.  261  -  273. 

9.  Rasmussen,  Craig,  Irvine,  Cynthia  E.,  Dinolt,  George  W.,  Levin,  Timothy,  and  Burke, 
Karen  L.,  A  Program  for  Education  in  Certification  and  Accreditation,  Security 
Education  and  Critical  Infrastructures,  ed.  C.  Irvine  and  H.  Armstrong,  Kluwer 
Academic  Publishers,  Norwell,  MA,  2003.  pp  131-149. 
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Products 


The  Center  for  Information  Systems  Security  Studies  and  Research  at  the  Naval 
Postgraduate  School  Maintains  a  website.  Information  regarding  both  of  the  tutorials 
and  workshops  are  available  as  well  as  the  proceedings  of  the  2004  workshop.  The 
proceedings  of  the  IFIP  workshop  in  2003  are  available  directly  from  the  publisher. 

http://cisr.nps.navv.mil/WECS5/index.htm 

http://cisr.nps.navy.mil/WECS6/index.htm 
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Appendix  A:  WECS  6:  Schedule  of  Events 


Monday,  12  July 


Time 

Location 

Event 

CiSR  Staff 

0830 

ME  Aud. 

Welcome,  Opening  Remarks,  Schedule  Overview 

JD  Fulp 

0900 

ME  Aud. 

(P)  IA  Pedagogy  (Central  Concepts/Ideas  of  IA 
curric.) 

JD  Fulp 

0950 

5-10  Min  Break 

1000 

ME  Aud. 

(C)  Passwords  (Vulnerability,  Strength, 

Mnemonics) 

Paul  Clark 

1030 

ME  Aud. 

(C)  Encryption  (Symmetry,  Strength,  Hashing, 
CIANr) 

Dr.  George 

Dinolt 

1130 

LUNCH 

1230 

Sp51 1 

(L)  Passwords  &  Encryption 

Paul  Clark 

1330 

5-10  Min  Break  &  Movement  to  ME  Auditorium 

1340 

ME  Aud. 

(C)  Malware/Threats  (Virus,  Wonn,  Trojan,  etc.) 

Daniel  Warren 

1500 

5-10  Min  Break 

1510 

ME  Aud. 

(D)  Virus  &  Steganography  Demonstration 

Daniel  Warren 

TBA 

Hors  d’ oeuvres  at  the  Monterey  Hilton 

Tuesd 

ay,  13  July 

0830 

ME 

Aud. 

(P)  I A  Textbooks  (recommendations  &  lessons 
learned) 

Paul  Clark 

0900 

ME 

Aud. 

(C)  Discretionary  vs  Mandatory  Access  Control 

Dr.  George 
Dinolt 

0950 

5-10  Min  Break 

1000 

ME 

Aud. 

(C)  Assurance,  Covert  Channels,  &  Common 

Criteria 

Dr.  Cynthia 
Irvine 

1050 

ME 

Aud. 

(D)  Covert  Channel  Demo 

Dr.  Cynthia 
Irvine 

1100 

ME 

Aud. 

(C)  Critical  Infrastructure  Protection 

Scott  Cote 

1130 

LUNCH  and  roundtable  discussion:  (P)  organization  of  an 

A  curriculum 

1300 

ME 

Aud. 

(C)  Computer  Forensics 

Chris  Eagle 

1400 

5-10  Min  Break  &  Movement  to  Sp5 1 1 

1410 

Sp5 1 1 

(L)  Packet  Analysis  (Ethereal) 

JD  Fulp 

1510 

5-10  Min  Break  &  Movement  to  ME  Auditorium 

1520 

ME 

Aud. 

(P)  Setting  up  an  IA  Lab 

Paul  Clark 

Recommended  visit  to  Farmers  ’  Market  on  Alvarado  St.  ~ 1600-1900 

(P)  ->  Pedagogy  Topic,  (C)  ->  Content  Lecture,  (L)  ->  Lab 
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Wednesday,  14  J 

July 

0830 

ME 

Aud. 

(C)  Identity  Theft 

Bill  Murray 

0920 

5-10  Min  Break 

0930 

ME 

Aud. 

(C)  Firewalls/Perimeter-Defense 

JD  Fulp 

1000 

5  Min  Break  &  Movement  to  Sp5 1 1 

1010 

Sp51 1 

(L)  Symantec  Personal  Firewall  Configuration 

JD  Fulp 

1130 

LUNCH 

1230 

Sp51 1 

(L)  Attacker’s  Perspective  ( take  breaks  as 
convenient) 

Scott  Cote 

1510 

ME 

Aud. 

(C)  The  Administrative  Element  of  IA 

Bill  Murray 

1600 

ME 

Aud. 

Conference  Wrap-up,  Q&A,  Critiques 

Dr.  Cyntia  Irvine 

(P)  ->  Pedagogy  Topic,  (C)  ->  Content  Lecture, 


(L)  Lab 
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Appendix  B:  Participant  Details 

This  appendix  provides  information  regarding  each  scholarship  participant  for  both  years 
of  the  program. 

Year  1  (2003)  Scholarship  Participants 


Name 

School 

State 

School  Type 

Minority 

Anderson,  Kevin 

Sacramento  City  College 

California 

Community  college 

57% 

Becker,  David 

Linn-Benton  Community 

College 

Oregon 

Community  college 

10% 

Bull,  Everett 

Pomona  College 

California 

4-year  college 

27% 

Gee,  Henry 

Evergreen  Valley  College 

California 

Community  college 

85% 

Griffin,  James 

Cabrillo  College 

California 

Community  college 

31% 

Larson,  Randol 

Estrella  Mountain 

Community  College 

Arizona 

Community  college 

42% 

McMahon,  Brian 

Cabrillo  College 

California 

Community  college 

31% 

Mehta,  Jaishri 

Mount  San  Antonio 

College 

California 

Community  college 

77% 

Murphy,  Thomas 

Contra  Costa  College 

California 

Community  college 

35% 

Nico,  Kimberly 

Cal  Poly,  San  Luis 

Obispo 

California 

University 

26% 

Noga,  John 

Cal  State  University, 

Northridge 

California 

University 

39% 

Pannell,  Diane 

Community  College  of 

Southern  Nevada 

Nevada 

Community  college 

40% 

Rylander,  Bart 

University  of  Portland 

Oregon 

University 

15% 

Sande,  Corrinne 

Whatcom  Community 

College 

Washington 

Community  college 

59%  female 

18% 

Snyder,  Jill 

Peninsula  College 

Washington 

Community  college 

Note  a. 
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Swanson,  Parker 

Linn-Benton  Community 

College 

Oregon 

Community 

College 

10% 

Taha,  Richard 

City  College  of  San 

Francisco 

California 

Community  college 

67% 

Tikekar,  Rahul 

Southern  Oregon 

University 

Oregon 

University 

11% 

Note  b. 

Wang,  Huaqing 

Cal  State  University, 

Bakersfield 

California 

University 

48% 

Notes 

a.  Median  student  age  is  36 

b.  Recruits  first-generation  college  students  from  rural  areas. 

Year 2  (2004)  Scholarship  Participants 

Name 

School 

State 

School  Type 

Minority 

Anderson,  Charles 

Western  Oregon 

University 

Oregon 

University 

12% 

Bodwin,  Zenaida 

Northern  Virginia 

Community  College 

Virginia 

Community  college 

38% 

Burroughs,  Ann 

Humboldt  State 

University 

California 

University 

18% 

Cappelino,  Marina 

Genesee  Community 

College 

New  York 

Community  college 

7% 

Cruz,  Alfredo 

Polytechnic  University, 

Puerto  Rico 

Puerto  Rico 

University 

Title  V 

school 

Englert,  Burkhard 

California  State 

University,  Long  Beach 

California 

University 

52% 

California  State 

Garcia,  Steven 

University,  Bakersfield 

California 

University 

48% 
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Gersting,  Judith 

University  of  Hawaii, 

Hilo 

Hawaii 

University 

48% 

90% 

Green,  Lionel 

Chief  Dull  Knife  College 

Montana 

Community  college 

89% 

Note  a 

Kettani,  Houssain 

Jackson  State  University 

Mississippi 

University 

98% 

Note  b 

Lancor,  Lisa 

Southern  Connecticut 

State  University 

Connecticut 

University 

21% 

MacEvoy,  Warren 

Mesa  State  College 

Colorado 

4-year  college 

12% 

Maruyama, 

Robert 

Chaminade  University  of 

Hawaii 

Hawaii 

University 

68% 

Meyers,  Donna 

California  State 

University,  Bakersfield 

California 

University 

48% 

Narang,  Hira 

Tuskegee  University 

Alabama 

University 

76% 

Note  b 

Rodriguez- 

Jimenez,  Othoniel 

Polytechnic  University, 

Puerto  Rico 

Puerto  Rico 

University 

Title  V 

school 

Streff,  Kevin 

Dakota  State  University 

Dakota 

University 

2% 

Tahani,  Hossein 

New  Mexico  Highlands 

University 

New 

Mexico 

University 

75% 

Valgenti,  Victor 

Montana  State 

University,  Billings 

Montana 

University 

9% 

Zimennann, 

Alfred 

Hawaii  Pacific 

University 

Hawaii 

University 

42% 

Notes 

a.  American  Indian  /  Alaskan  Native 

b.  African  American 
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Appendix  C:  Assessment 

Questionnaire  Feedback:  Lecture  and  Lab  RatingsYearl 


Type 

Title 

Score  (5.00  scale) 

P-lecture 

IA  Pedagogy 

4.26 

E-lecture 

Passwords 

4.69 

E-lecture 

Encryption 

4.07 

Lab 

Passwords  &  Encryption 

4.36 

E-lecture 

Malware 

4.13 

E-lecture 

Critical  Infrastructure  Protection 

4.00 

E-lecture 

Discretionary  Vs.  Mandatory  Access  Control 

4.05 

E-lecture 

High-Assurance  Systems 

4.05 

Lab 

DAC  and  the  Common  Criteria 

4.11 

P-lecture 

I A  Textbooks 

4.20 

E-lecture 

Covert  Channels 

4.05 

E-lecture 

The  Administrative  Element  of  IA 

3.98 

Brief 

Using  the  Threats  &  Safeguards  Tutorial  CD 

4.55 

Lab 

Work  Through  Several  Selected  Tutorial  Examples 

4.36 

P-lecture 

Setting  up  an  IA  Lab 

4.00 

Lab 

Vulnerability  Assessment 

4.81 

Overall  WECS  5  rating,  lectures  and  labs 

4.23 

P-lecture:  Pedagogy  lecture 

E-lecture:  Example  lecture 
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Questionnaire  Feedback:  Lecture  and  Lab  RatingsYear2 


Type 

Title 

Score  (5.00  scale) 

P-lecture 

IA  Pedagogy 

4.53 

E-lecture 

Passwords 

4.07 

E-lecture 

Encryption 

3.93 

Lab 

Passwords  &  Encryption 

4.50 

C-lecture 

Malware/Threats 

4.13 

Demo 

Virus  and  Steganography 

4.60 

C-lecture 

Critical  Infrastructure  Protection 

4.43 

C-lecture 

Discretionary  and  Mandatory  Access  Controls 

4.07 

C-lecture 

Assurance,  Covert  Channels  and  Common  Criteria 

4.14 

C-lecture 

Forensics 

4.47 

Lab 

Packet  Analysis  (Ethereal) 

4.73 

P-lecture 

Setting  Up  and  IA  Lab 

4.00 

C-Lecture 

Identity  Theft 

4.27 

C-lecture 

Firewalls/Perimeter  Defense 

4.60 

Lab 

Personal  Firewall  Configuration 

4.27 

Lab 

Attacker’s  Perspective 

4.73 

C-lecture 

The  Administrative  Element  of  IA 

3.93 

Overall  WECS  6  rating,  lectures  and  labs 

4.34 

P-lecture:  Pedagogy  lecture 

E-lecture:  Example  lecture 
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Appendix  D:  WECS  5  Press  Release 

PRESS  RELEASE  30  JUNE  2003 

The  Naval  Postgraduate  School  in  Monterey,  California  recently  hosted  two  important 
conferences  in  the  area  of  computer  security  and  information  assurance.  For  the  first  time, 
and  perhaps  the  only  time,  the  WISE/WECS  conferences  were  combined  to  reach  both 
groups  and  place  side  by  side  the  novice  and  those  responsible  for  their  nation’s  security. 
Both  were  sponsored  by  the  National  Science  Foundation,  and  combined  they  included 
attendees  and  speakers  that  ranged  from  community  college  level  computer  teachers  to  the 
state  of  the  art  experts  from  government  and  international  institutions. 

The  conferences  were  organized  by  the  school’s  Center  for  Information  Systems  Security 
Studies  and  Research  (CISR)  headed  by  Dr.  Cynthia  Irvine.  According  to  Irvine,  CISR  is  “a 
group  of  faculty,  staff  and  students  who  work  to  put  together  both  research  and  educational 
programs  in  the  area  of  information  assurance.  In  other  words,  information  operations 
primarily  directed  toward  network  defense.” 

CISR  makes  an  important  impact  on  the  area  of  computer  security  both  nationally  and 
internationally.  Irvine  adds,  “We’ve  always  had  an  impact  within  the  military,  but  now  we’re 
having  a  ripple  effect  out  to  the  civilian  sector.  In  fact,  we  just  graduated  1 1  of  our  civilian 
Scholarship  for  Service  students  -  our  first  group  -  last  week.  They  will  all  have  jobs  within 
the  government.  So  we’ll  be  having  an  even  wider  impact  than  we  did  before.  The  WECS 
workshop,  I  think,  is  a  great  way  to  enhance  that  impact  and  help  build  national  capacity  and 
awareness  in  information  assurance.” 

One  obvious  way  of  reaching  a  broader  range  of  people  is  through  education.  To  this  end, 
the  Workshop  in  Education  for  Computer  Security  (WECS)  was  offered  to  “take  people  who 
are  educators  in  community  colleges  and  4-year  universities  who  are  trying  to  start  up 
information  assurance  in  their  computer  science  departments  and  teach  them  how  to  then 
teach  their  students.  We  want  to  make  sure  correct  infonnation  is  getting  out,  and  that  they 
can  network  and  get  the  right  resources,”  explained  Naomi  Falby,  Conference  Coordinator. 

“It  is  intended  to  be  a  capacity  building  effort,”  added  Irvine.  This  fifth  WECS  workshop 
took  place  from  June  23-25, 2003  at  the  Naval  Postgraduate  School  and  was  attended  by  20 
faculty  members  from  1 8  different  two  and  four  year  institutions  from  California,  Arizona, 
Nevada,  Washington,  and  Oregon.  Most  received  support  to  attend  the  workshop.  Attendees 
took  classes,  worked  on  computer  lab  exercises,  and  were  involved  in  discussion  groups  to 
help  them  formulate  their  infonnation  assurance  curriculum.  Lunches  and  social  events  were 
organized  to  establish  a  sense  of  community  among  the  participants. 

Used  to  working  with  the  leading  edge  in  the  field  of  information  assurance,  Irvine  said,  “It’s 
been  fun  to  work  with  people  from  a  large  variety  of  colleges  and  teach  them  something 
new,  and  they’re  all  very  enthusiastic.  We’ve  presented  them  with  our  labs,  teaching 
techniques. .  .various  kinds  of  textbooks  they  might  be  using  in  their  classes.” 
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Whereas  CISR  has  had  a  large  program  in  infonnation  assurance  for  over  seven  years, 
one  WECS  attendee,  Everett  Bull  of  Pomona  College,  said  that  at  the  college  and 
university  level,  these  issues  are  just  beginning  to  be  discussed.  “On  campus.  I’m  one  of 
those  people  that’s  yelling  about  security,  and  it’s  really  interesting  to  see  from  here  how 
threatening  it  is,  the  horror  stories,  because,  probably  like  most  colleges,  our  IT 
department  isn’t  particularly  sophisticated.  We  have  people  that  can  get  things  done,  but 
they’re  pretty  much  poking  around  in  the  dark.”  Thus,  this  workshop  was  exactly  what  he 
and  faculty  at  other  academic  institutions  needed. 

Other  reactions  to  WECS  by  its  participants  were  enthusiastic.  According  to  David  Becker 
from  Linn-Benton  Community  College,  “Our  intent  (in  attending  the  workshop)  is  to  learn 
about  security  issues  and  how  to  incorporate  them  into  our  curriculum,  and  I  think  that’s 
been  really  useful.” 

Randy  Larson  of  Estrella  Mountain  Community  College  concurred  saying,  “It’s  raising  more 
questions  which  makes  it  more  beneficial.  I’m  very  passionate  about  infonnation  assurance, 
and  I’m  looking  forward  to  adding  that  into  several  types  of  lower-level  education  as  well 
because  we  also  partner  with  various  high  schools  within  our  community  college  system.  I 
particularly  believe  that  IA  should  start  as  soon  as  they  start  using  the  computer.”  According 
to  Falby,  during  the  next  year  participants  are  required  to  report  back  on  how  they  have 
incorporated  workshop  materials,  examples,  and  teaching  styles  into  their  classroom  and 
curriculum,  thus  insuring  that  information  learned  at  the  workshop  will  find  its  way  into  the 
public  sector.  “We’re  not  sure  what  we’re  going  to  do,  but  we’re  thinking  of  maybe  putting 
in  a  full  elective  level  course  in  information  security,”  commented  Bull. 

One  unique  addition  to  the  WECS  workshop  was  the  inclusion  of  WECS  participants  in 
the  WISE  conference  where  they  were  able  to  hear  from  educators  more  experiences  in 
field  of  computer  security  and  get  a  glimpse  of  ongoing  and  future  developments  in  the 
field  of  infonnation  security  education. 

The  3rd  World  Conference  for  Information  Security  Education  (WISE)  conference  took 
place  on  the  heels  of  WECS,  June  26  -  28,  2003,  and  had  the  goal  of  international 
capacity  building  for  educators  already  in  the  field  of  security  education.  Papers  and 
presenters  came  from  around  the  globe,  spanning  public,  private,  and  military  academic 
institutions.  WISE3  attendees  represented  13  foreign  countries  from  five  continents 
including  the  Canadian  government,  the  University  of  Moscow,  West  Point,  and 
Stockholm  University,  with  industry  representation  by  Cisco  Systems,  Inc.  Two  keynote 
presentations  complemented  the  program:  one  by  Dr.  Peter  Denning,  Chair  of  the  NPS 
Department  of  Computer  Science,  and  a  second  by  Dr.  Dorothy  Denning,  also  of  NPS. 
Presentations  included  such  topics  as  infonnation  assurance  education  in  developing 
nations,  graduate  and  undergraduate  security  programs,  computer  forensics,  hands  on 
laboratories  and  preparing  students  to  defend  against  cyber  attacks. 

The  WISE  conference  was  sponsored  by  the  International  Federation  for  Information 
Processing  and  the  National  Science  Foundation.  Past  WISE  conferences  were  held  in 
Perth,  Australia  and  Stockholm,  Sweden. 

Future  conferences  will  be  the  information  security  education  workshop  in  Toulouse, 
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France  in  2004  and  WISE  4  in  Moscow. 
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